Apache module mod_ssl: encrypting the connection to a website
Posted in WWW


Posted on 2006-11-04

Environment: CentOS 4.4 Final

Install the httpd and mod_ssl packages.

Where SSL is configured:
   /etc/httpd/conf.d/ssl.conf

Where the key and certificate live; the package already ships a pair (a self-signed placeholder generated when the package is installed, which no browser will trust, so replace it with your own before going live):
   /etc/httpd/conf/ssl.*

Non-SSL site:
   echo "no SSL" > /var/www/html/index.html
   vi /etc/httpd/conf/httpd.conf

<VirtualHost *:80>
    DocumentRoot /var/www/html
    ServerName nossl.ssorc.tw
    ErrorLog logs/nossl.ssorc.tw-error_log
    CustomLog logs/nossl.ssorc.tw-access_log common
</VirtualHost>

Create the directory that will be served over SSL:
   mkdir /var/www/html/ssl
   echo "SSL" > /var/www/html/ssl/index.html
   vi /etc/httpd/conf.d/ssl.conf

<VirtualHost _default_:443>
DocumentRoot "/var/www/html/ssl"
ServerName abc.com:443

SSLEngine On
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>

For a quick test, remember to add the hostname to /etc/hosts on the client machine.

To make your own certificate, see:
   http://ssorc.tw/?p=42
   http://ssorc.tw/?p=259

Quickly generate a self-signed certificate whose private key has no passphrase (-nodes). Because the key is then stored unencrypted, keep it readable by root only; the CN must match the hostname clients connect to; and rsa:1024 was common in 2006 but is too short today, so use rsa:2048 or larger:
   openssl req -new -x509 -keyout server.key -out server.crt -days 365 -newkey rsa:1024 -nodes -subj '/C=TW/ST=Taiwan/L=Taipei/CN=ssorc.tw/emailAddress=cross@ssorc.tw'

Client authentication
/etc/httpd/conf.d/ssl.conf also has a client-authentication feature: the client (browser) imports a certificate and key signed by a CA the server trusts (the server needs that CA's certificate via SSLCACertificateFile to verify it), and when the page is opened the browser prompts the user to pick the certificate and, where the key store is protected, for its password.

#SSLVerifyClient require
#SSLVerifyDepth 10

   How-to references:
      http://www.securityfocus.com/infocus/1823
      http://forum.slime.com.tw/thread211482.html

   Client authentication: I have not managed to get this working yet (2007/09/06).

As for why one SSL site can only be bound to one physical IP address (this is the Apache 2.0 behaviour of the time; Apache 2.2.12 and later, built against an OpenSSL with TLS extension support, implement SNI and lift this restriction), quoting http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html:

Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?
Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server.

It comes as rather a shock to learn that it is impossible.

The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds, which matches the port and IP address specified.

Setting up several SSL virtual hosts
The first:

<VirtualHost ssl1.ssorc.tw:443>
   DocumentRoot "/var/www/html/ssl1"
   ServerName ssl1.ssorc.tw:443
   ErrorLog logs/ssl1.ssorc.tw-ssl_error_log
   TransferLog logs/ssl1.ssorc.tw-ssl_access_log
   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt-ssl1
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key-ssl1
   CustomLog logs/ssl1.ssorc.tw-ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

The second:

<VirtualHost ssl2.ssorc.tw:443>
   DocumentRoot "/var/www/html/ssl2"
   ServerName ssl2.ssorc.tw:443
   ErrorLog logs/ssl2.ssorc.tw-ssl_error_log
   TransferLog logs/ssl2.ssorc.tw-ssl_access_log
   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt-ssl2
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key-ssl2
   CustomLog logs/ssl2.ssorc.tw-ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

vi /etc/hosts

10.1.1.1   ssl1.ssorc.tw
10.1.1.2   ssl2.ssorc.tw

You can also give the IP address directly, which is the more explicit way:

<VirtualHost 10.1.1.1:443>
..
.
<VirtualHost 10.1.1.2:443>
..
.

As soon as Apache finds that two of those domains resolve to the same IP, it will not start successfully.
Specifying <VirtualHost *:443> does not work either: without SNI, the IP:port pair is the only thing the server has to pick an SSL virtual host by, so two SSL hosts on the same address cannot be told apart.
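As an added example (not code from the post), here is a small Python linter for the constraint the FAQ quote describes and that the two-vhost setup above works around. It parses <VirtualHost> blocks, resolves each SSL-enabled vhost's address through a constructed hosts table standing in for /etc/hosts (ssl1 and ssl2 are the post's names; ssl3 is hypothetical and deliberately pointed at ssl1's IP), and flags SSL vhosts that land on the same IP:port or on a wildcard address, where a server without SNI could only ever serve the first one. It also reports an SSL vhost that lacks its certificate or key directive. The sample configuration is constructed for the example.

```python
# Added example, not from the post: lint <VirtualHost> blocks for the pre-SNI
# limit quoted from the FAQ. Hostnames resolve through a constructed hosts table.
import re
from collections import defaultdict

# Constructed hosts table: the post's two names plus a hypothetical ssl3
# deliberately pointed at the same IP as ssl1.
HOSTS = {"ssl1.ssorc.tw": "10.1.1.1", "ssl2.ssorc.tw": "10.1.1.2",
         "ssl3.ssorc.tw": "10.1.1.1"}

# Constructed configuration sample (not the post's ssl.conf).
SAMPLE_CONF = """<VirtualHost ssl1.ssorc.tw:443>
   ServerName ssl1.ssorc.tw:443
   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt-ssl1
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key-ssl1
</VirtualHost>
<VirtualHost ssl2.ssorc.tw:443>
   ServerName ssl2.ssorc.tw:443
   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt-ssl2
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key-ssl2
</VirtualHost>
<VirtualHost ssl3.ssorc.tw:443>
   ServerName ssl3.ssorc.tw:443
   SSLEngine on
   SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt-ssl3
   # SSLCertificateKeyFile deliberately left out
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.I)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.I)


def parse_vhosts(text):
    """Return [(address_spec, directives)] per block; directives maps the
    lower-cased directive name to a list of its argument strings."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = (m.group(1).strip(), defaultdict(list))
        elif VHOST_CLOSE.match(line) and current is not None:
            vhosts.append(current)
            current = None
        elif current is not None:
            name, *rest = re.split(r"\s+", line, maxsplit=1)
            current[1][name.lower()].append(rest[0] if rest else "")
    return vhosts


def resolve(addr_spec, hosts=HOSTS):
    """Map 'host:port', 'ip:port', '*:port' or '_default_:port' to (ip, port),
    looking hostnames up in the hosts table as httpd does at startup.
    IPv6 literals are not handled."""
    host, _, port = addr_spec.rpartition(":")
    if not port.isdigit():  # no explicit port
        host, port = addr_spec, "*"
    if host in ("*", "_default_"):
        return ("*", port)
    return (hosts.get(host, host), port)


def lint(text, hosts=HOSTS):
    """List SSL vhosts a server without SNI cannot tell apart, and SSL vhosts
    missing their certificate or key directive."""
    findings = []
    ssl_by_port = defaultdict(list)  # port -> [(ip, ServerName)]
    for addr_spec, d in parse_vhosts(text):
        if not any(v.lower() == "on" for v in d.get("sslengine", [])):
            continue  # plain-HTTP vhosts may share an address freely
        name = d.get("servername", [addr_spec])[0]
        for key in ("sslcertificatefile", "sslcertificatekeyfile"):
            if key not in d:
                findings.append(f"{name}: SSLEngine on but no {key}")
        for spec in addr_spec.split():  # a vhost may list several addresses
            ip, port = resolve(spec, hosts)
            ssl_by_port[port].append((ip, name))
    for port, entries in ssl_by_port.items():
        by_ip = defaultdict(list)
        for ip, name in entries:
            by_ip[ip].append(name)
        wildcard = by_ip.pop("*", [])  # '*' and '_default_' match every IP
        if wildcard and (len(wildcard) > 1 or by_ip):
            names = wildcard + [n for ns in by_ip.values() for n in ns]
            findings.append(f"port {port}: wildcard SSL vhost overlaps "
                            f"{', '.join(names)}; only the first is ever used")
        for ip, names in by_ip.items():
            if len(names) > 1:
                findings.append(f"{ip}:{port}: {len(names)} SSL vhosts share "
                                f"this address ({', '.join(names)}); without "
                                f"SNI only the first can be served")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF)))
```

To run it against a real server, feed it the contents of /etc/httpd/conf.d/ssl.conf instead of SAMPLE_CONF and replace the HOSTS table with real resolution (for example socket.gethostbyname); on the post's setup, with ssl1 and ssl2 on different IPs, it reports nothing, and on a server that does support SNI the address overlap is no longer an error.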
 
